AVD - Internal-Only Session Hosts

J Rippon 81 Reputation points

Is it possible to make AVD session hosts only accessible from within the network, i.e. connected via VNet peering, without using Conditional Access? Perhaps controlled via the NSG?

It seems to be implied it can be done here https://learn.microsoft.com/en-us/azure/architecture/example-scenario/wvd/windows-virtual-desktop

"By connecting Azure Virtual Desktop host pools to an Active Directory domain, you can define network topology to access virtual desktops and virtual apps from the intranet or internet, based on organizational policy"

Tags: Azure Virtual Machines (an Azure service that is used to provision Windows and Linux virtual machines), Azure Virtual Desktop (a Microsoft desktop and app virtualization service that runs on Azure, previously known as Windows Virtual Desktop)

Accepted answer

KarishmaTiwari-MSFT 18,652 Reputation points Microsoft Employee

Currently, Conditional Access seems to be the only sure way, since you can limit the use to an IP range within your network and VNet. A VPN connection would, of course, succeed, since the VPN would provide the endpoint with a valid corp IP address.

We can't prevent clients from using TCP connections via the public endpoints for the AVD gateway/broker services.
It looks like you are looking for functionality like Private Link support, which is not currently available.

I will share this feedback with the Product team, which could help them plan the product roadmap.

There is an existing thread on achieving this using Conditional Access: https://learn.microsoft.com/en-us/answers/questions/66463/wvd-inbound-ip-address-restrictions.html
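The accepted answer points to Conditional Access as the working control: a named location for the corporate egress range, and a policy that blocks sign-ins to the Azure Virtual Desktop app from anywhere else. The script below is an added example of that setup using the Microsoft Graph PowerShell SDK; it is not code from the thread or from Microsoft's documentation. The CIDR (203.0.113.0/24, a documentation range), the pilot group object ID, and the assumption that the first-party enterprise app is listed under the display name "Azure Virtual Desktop" in your tenant are all placeholders or assumptions to verify before running it.

```powershell
# Added example (not from the original thread): restrict AVD sign-ins to a corporate
# IP range with an Entra Conditional Access named location + block policy.
# Assumptions to replace/verify: $corpCidr (constructed), $pilotGroupId (placeholder),
# and the enterprise app display name used to resolve the AVD application ID.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

# 1. Named location covering the egress range of the corporate network / peered VNet.
#    A VPN that hands out an address in this range will also pass, as the answer notes.
$corpCidr = "203.0.113.0/24"   # constructed sample range
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corp egress - AVD allowed"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $corpCidr }
    )
}

# 2. Resolve the AVD first-party app ID from its enterprise-app display name instead of
#    hardcoding it (assumption: it appears as "Azure Virtual Desktop" in this tenant).
$avdSp = Get-MgServicePrincipal -Filter "displayName eq 'Azure Virtual Desktop'"
if (-not $avdSp) { throw "Azure Virtual Desktop enterprise app not found; check the display name in Entra ID." }
$avdAppId = $avdSp.AppId

# 3. Block policy: sign-ins to AVD from any location EXCEPT the named location are blocked.
#    Start with a pilot group in report-only state; switch to "enabled" after the
#    sign-in logs show only the expected users/locations would be affected.
$pilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder object ID

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "AVD - block access from outside corporate network"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @($pilotGroupId) }
        applications = @{ includeApplications = @($avdAppId) }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

"Named location: $($location.Id)"
"Policy:         $($policy.Id) (state: $($policy.State))"
```

The check this gives you is at the Entra sign-in, not on the session host or its NSG: as the answer says, clients can still reach the public AVD gateway and broker endpoints, but they cannot obtain a token for the AVD app from an address outside the named location. Review the report-only results in the Conditional Access sign-in logs before flipping the state to enforced, and keep a break-glass account excluded from the policy.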
